Observations about spam signups

This observation matches with this: Spam for Lead Generation?

Are you able to see the IP addresses of send-magic-link requests? Can you check if they are also from Tor network? Maybe attacker is now checking another mail list.

Where could I find the IP addresses?

Ghost itself doesn’t collect access logs. You need to collect access logs on your setup, then filter it by the /members/api/send-magic-link/ path.

I now see that the pattern I mentioned was just the tip of the iceberg on a larger spam attack more similar to the ones I’ve experienced before.

The difference was that this time it was going through the front end, and all the traffic was from exit node IP addresses. So I had to blacklist all exit nodes from that endpoint with my Nginx reverse proxy.

I’m still getting failed spam to the unchanged magic link endpoint, coming from the clearnet, but it just 404s :)

Another thing I did, finally, which I recommend other self-hosters do also, is set up a webhook from my transactional SMTP provider (Postmark), which emails me (via ActivePieces) if there are bounces/complaints/etc. The spam attacks tend to generate bounces pretty early on, and this system already caught when my fix hadn’t been deployed correctly, and spam was still getting through.

As for the handful that confirmed, I’m unclear about them. Maybe a few real people clicked confirm? I wonder if the IP for the confirmation matches the IP that submitted the sign-up. Looking back, I see a similar pattern with multiple sign-ins on first subscribe, going back a bit, so if it is spam signups it’s been going on longer, at very low volume. I noticed some of those addresses clicked all the links in my newsletter right when it arrived, which seemed suspicious, but a lot of email security software does this. I’m not sure whether to delete these members or not.